FIPS support for agent
We use a standardized security profile (OSPP) on our Red Hat servers. This goes hand in hand with the activation of FIPS.
FIPS ensures that only certain encryption algorithms may be used.
Using checkmk as an example (the last time I looked), the rpm also had MD5 in addition to SHA256 encryption. However, as soon as a weak encryption is present, the strong one can no longer be trusted. This means that the agent cannot be installed using rpm -i. If you also specify the --nodigest switch, it works.
However, as soon as the updater attempts an update, the additional switch is not used and you end up with an uninstalled agent (the old one has been removed, the new one cannot be installed).
If you use --nodigest, you violate the FIPS regulations and no longer meet the standard. In this respect, a workaround would be desirable.
(Comment from Matthias)
-
23 Aug, '24
Matthias (highlighted comment)
-
24 Jun, '24
Mohamed Saleh (Admin)
Hi Mathew,
Thank you for adding your idea to the Ideas Portal.
The idea does not contain sufficient information; therefore, it is in the state Clarification required. In order to move it to Under consideration status, so that other users can comment and vote on it, could you please fill in the use case and the main problems that this idea would solve?
Thanks!
Warm Regards,
Your Checkmk Team
-
26 Aug, '24
Martin Hirschvogel (Admin)
Thanks Matthias. This is solved via: https://checkmk.com/werk/17093
I will rename the idea with your comment, otherwise I would have to close it as it is not actionable (this is not a collection space, but should rather speak about concrete problems) @Matthew.
-
26 Aug, '24
Martin Hirschvogel (Admin)
Hello,
Good news! Your idea has been implemented into our software. The functionality is available upstream and will be published with the next major release.
See werk https://checkmk.com/werk/17093 for more details.
Warm regards,
Your Checkmk team